WQL: a query language used to obtain WMI objects in PowerShell

WQL language

Reference: About_WQL


1. What is WQL?

WQL is the WMI Query Language, used to obtain WMI (Windows Management Instrumentation) objects in PowerShell.

2. Why use WQL language?

WQL queries are faster than standard Get-WmiObject commands, and the performance improvement shows when the commands are run on hundreds of systems.

3. How to use WQL statements?

A WQL query statement is passed to the -Query parameter of "Get-WmiObject" or "Get-CimInstance". The structure is as follows:

Get-WmiObject -Query "<WQL Query>"

Get-CimInstance -Query "<WQL Query>"

The basic structure of WQL query statement:

Select <property> from <WMI-class> [where <property> <operator> <value>]

Example: Query the detailed information of the Notepad process

Use Get-WmiObject

Get-WmiObject -Query {Select * from Win32_Process where Name = 'Notepad.exe'}

Command output:

__GENUS                    : 2
__CLASS                    : Win32_Process
__SUPERCLASS               : CIM_Process
__DYNASTY                  : CIM_ManagedSystemElement
__RELPATH                  : Win32_Process.Handle="5444"
__PROPERTY_COUNT           : 45
__DERIVATION               : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}
__SERVER                   : SZ-Test1119
__NAMESPACE                : root\cimv2
__PATH                     : \\SZ-GADZ050761\root\cimv2:Win32_Process.Handle="5444"
Caption                    : notepad.exe
CommandLine                : "C:\WINDOWS\system32\notepad.exe"
CreationClassName          : Win32_Process
CreationDate               : 20201211175155.893933+480
CSCreationClassName        : Win32_ComputerSystem
CSName                     : SZ-Test1119
Description                : notepad.exe
ExecutablePath             : C:\WINDOWS\system32\notepad.exe
ExecutionState             :
Handle                     : 5444
HandleCount                : 238
InstallDate                :
KernelModeTime             : 781250
MaximumWorkingSetSize      : 1380
MinimumWorkingSetSize      : 200
Name                       : notepad.exe
OSCreationClassName        : Win32_OperatingSystem
OSName                     : Microsoft Windows 10 企业版|C:\WINDOWS|\Device\Harddisk0\Partition2
OtherOperationCount        : 110
OtherTransferCount         : 2584
PageFaults                 : 4035
PageFileUsage              : 3108
ParentProcessId            : 3980
PeakPageFileUsage          : 3108
PeakVirtualSize            : 2203492605952
PeakWorkingSetSize         : 15484
Priority                   : 8
PrivatePageCount           : 3182592
ProcessId                  : 5444
QuotaNonPagedPoolUsage     : 14
QuotaPagedPoolUsage        : 244
QuotaPeakNonPagedPoolUsage : 14
QuotaPeakPagedPoolUsage    : 244
ReadOperationCount         : 1
ReadTransferCount          : 60
SessionId                  : 1
Status                     :
TerminationDate            :
ThreadCount                : 7
UserModeTime               : 0
VirtualSize                : 2203492605952
WindowsVersion             : 10.0.19042
WorkingSetSize             : 15851520
WriteOperationCount        : 0
WriteTransferCount         : 0
PSComputerName             : SZ-GADZ050761
ProcessName                : notepad.exe
Handles                    : 238
VM                         : 2203492605952
WS                         : 15851520
Path                       : C:\WINDOWS\system32\notepad.exe

Use Get-CimInstance

Get-CimInstance -Query "Select * from CIM_Process where Name = 'Notepad.exe'"

Command output:

ProcessId Name        HandleCount WorkingSetSize VirtualSize
--------- ----        ----------- -------------- -----------
5444      notepad.exe 237         15912960       2203472412672

When using "Get-CimInstance -Query", do not enclose the WQL query statement in {}; enclose it in "" instead, otherwise an error is reported.

Note: Text enclosed in {} is parsed as a script block, and a script block passed to -Query cannot be evaluated because it receives no input.

PS C:\> Get-CimInstance -Query {Select * from Win32_Process where Name = 'Notepad.exe'}
Get-CimInstance : 无法评估参数“Query”,因为其参数被指定为脚本块,且没有输入。无法评估没有输入的脚本块。
所在位置 行:1 字符: 24
+ ... tance -Query {Select * from Win32_Process where Name = 'Notepad.exe'}
+                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : MetadataError: (:) [Get-CimInstance], ParameterBindingException
    + FullyQualifiedErrorId : ScriptBlockArgumentNoInput,Microsoft.Management.Infrastructure.CimCmdlets.GetCimInsta
   nceCommand

The valid operators in the Where clause of a WQL query are listed below:

Operator    Description
-----------------------
=           Equal
!=          Not equal
<>          Not equal
<           Less than
>           Greater than
<=          Less than or equal
>=          Greater than or equal
LIKE        Wildcard match
IS          Evaluates null
ISNOT       Evaluates not null
ISA         Evaluates a member of a WMI class
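
The query structure and the operators above, combined into a process-triage query that names its properties instead of using *, and that escapes caller-supplied values before they are placed in the Where clause. This is an added example, not code from the original post or from About_WQL; the function names ConvertTo-WqlStringLiteral and Get-ProcessTriage are hypothetical, and remote use assumes WinRM access to the target hosts.

```powershell
# Added example. Function names are hypothetical, not part of PowerShell or About_WQL.

function ConvertTo-WqlStringLiteral {
    # Turn an arbitrary value into a single-quoted WQL string literal.
    # WQL uses the backslash as its escape character, so double it first,
    # then escape single quotes. Without this, a quote inside the value
    # would end the literal early and change the meaning of the Where clause.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    "'" + $Value.Replace('\', '\\').Replace("'", "\'") + "'"
}

function Get-ProcessTriage {
    # Query one process name, optionally restricted to a directory prefix,
    # on the local machine or on a list of remote computers.
    param(
        [Parameter(Mandatory)][string]$ProcessName,
        [string]$PathPrefix,          # e.g. C:\Users\ (matched with LIKE)
        [string[]]$ComputerName
    )

    $where = "Name = $(ConvertTo-WqlStringLiteral -Value $ProcessName)"
    if ($PathPrefix) {
        # LIKE uses % as the multi-character wildcard. Characters in the
        # prefix that LIKE itself treats specially (%, _, [) are not
        # neutralised here, so pass plain directory paths only.
        $pattern = ConvertTo-WqlStringLiteral -Value ($PathPrefix + '%')
        $where  += " AND ExecutablePath LIKE $pattern"
    }

    # Select <property> from <WMI-class> where <property> <operator> <value>
    $wql = 'Select ProcessId, ParentProcessId, Name, ExecutablePath, ' +
           "CommandLine, CreationDate from Win32_Process where $where"

    $cimArgs = @{ Query = $wql }
    if ($ComputerName) { $cimArgs.ComputerName = $ComputerName }

    # The query is always a string, never a {} script block (see the error above).
    Get-CimInstance @cimArgs |
        Select-Object PSComputerName, ProcessId, ParentProcessId, Name,
                      ExecutablePath, CommandLine, CreationDate
}

# Local check for the Notepad process used in the examples above.
Get-ProcessTriage -ProcessName 'notepad.exe'

# Same name, but only instances running from under a user profile directory.
Get-ProcessTriage -ProcessName 'notepad.exe' -PathPrefix 'C:\Users\'
```

ParentProcessId and CommandLine are the two properties from the Win32_Process output above that matter most when deciding whether a process instance is expected on a host.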

Contents: Return to my PowerShell study notes: https://blog.51cto.com/3chou/2562634


Origin blog.51cto.com/3chou/2563005